On Sat, 26 Oct 2002, Sylvain Petreolle wrote:
> I disagree here.
> One anti-debug / hiding technique is:
> 1) set regs
> 1a) push the location of 3) on the stack.
> 2) jump to 80h
> then the "iret" instruction in int 80h will jump to 3)
Well, while I agree with the general sentiment, this is technically not
quite right. In i386 protected mode, you cannot jump directly to code with
a different privilege level (trying to would cause a GPF/SIGSEGV); it must be
done through a "gate" (typically an interrupt). Passing through such a
privilege-transition gate also implies switching to a similarly-privileged
stack (before the return address is pushed), so you cannot push your own
return address onto the kernel's privileged stack. And you probably can't
even get the address of the kernel interrupt handler (the IDT can be
protected from being read). This doesn't make Wine any more secure though,
of course...
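The protected-mode rules the reply relies on (a far JMP can never raise the privilege level, and INT n through a gate loads the ring-0 stack from the TSS before pushing the return frame), as a small Python model of the Intel SDM checks. This is an added example, not code from the thread; the selectors, addresses and the TSS ESP0 value are constructed.

```python
from dataclasses import dataclass, field

class GeneralProtectionFault(Exception): pass   # #GP on the CPU; SIGSEGV for a Linux process
@dataclass
class CodeSegment:
    dpl: int                      # descriptor privilege level: 0 = kernel, 3 = user
    conforming: bool = False

@dataclass
class Cpu:
    cpl: int
    esp: int
    stack: dict = field(default_factory=dict)   # address -> pushed 32-bit value
    tss_esp0: int = 0xC0010000                  # ring-0 stack pointer held in the TSS (constructed)
    def push(self, value):
        self.esp -= 4
        self.stack[self.esp] = value

def far_jmp(cpu, seg):
    """Direct JMP/CALL to a code segment never changes CPL (SDM far-JMP checks)."""
    if seg.dpl != cpu.cpl and not (seg.conforming and seg.dpl < cpu.cpl):
        raise GeneralProtectionFault(f"far JMP to DPL {seg.dpl} from CPL {cpu.cpl}")
    return True

def software_int(cpu, gate_dpl, target, cs, eip, eflags=0x202):
    """INT n through an interrupt gate (IDT entry with DPL gate_dpl pointing at target)."""
    if cpu.cpl > gate_dpl or target.dpl > cpu.cpl:
        raise GeneralProtectionFault(f"gate/handler not reachable from CPL {cpu.cpl}")
    if not target.conforming and target.dpl < cpu.cpl:
        # Inter-privilege transfer: SS:ESP are loaded from the TSS *before* the
        # return frame is pushed, so the caller's own pushes never reach this stack.
        old_esp, cpu.esp = cpu.esp, cpu.tss_esp0
        cpu.push(0x2B)                        # old SS (user data selector, constructed)
        cpu.push(old_esp)
        cpu.cpl = target.dpl
    for value in (eflags, cs, eip):           # the frame IRET will pop
        cpu.push(value)
    return cpu.cpl, cpu.esp

def demo():   # replay the quoted recipe against the model
    kernel, cpu = CodeSegment(dpl=0), Cpu(cpl=3, esp=0xBFFFF000)
    cpu.push(0x08048000)                      # step 1a: location of "3)"
    try:
        jumped = far_jmp(cpu, kernel)         # step 2 as a plain jump
    except GeneralProtectionFault:
        jumped = False
    cpl, kesp = software_int(cpu, 3, kernel, cs=0x23, eip=0x08048102)   # int 0x80
    return {"direct_jump": jumped, "cpl": cpl, "iret_eip": cpu.stack[kesp],
            "kernel_stack": [cpu.stack[a] for a in sorted(cpu.stack) if a >= 0xC0000000]}
```

The IRET frame the handler sees holds the EIP the CPU pushed (the instruction after the INT), and the value pushed in step 1a stays on the user stack.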